-
Priya Prasad Pataskar posted a new activity comment 8 years ago
I agree with your point, Said. An auditor sure has a difficult job to do. An auditor must be friendly enough to let the auditee open up to discussions, but firm enough to give a non-compliance for however small a concern may be. The smallest non-compliance has the potential to cause the biggest breaches.
An auditor's integrity determines his ability to make…
-
Priya Prasad Pataskar posted a new activity comment 8 years ago
SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain
The SAP GRC module will help an organization plan governance, establish regulations and compliance within the organization. Our guest speaker last week mentioned that spreadsheets come into the picture while managing data, which is not the most convenient way o…
-
Priya Prasad Pataskar posted a new activity comment 8 years ago
That is a great point, Magaly. Automatic fraud detection would be difficult to achieve but may be possible to a certain extent. I have mentioned in one of my posts that automated data entry would add a level of accuracy. And if any inaccurate data is entered, fraud can be detected.
SAP supports Fraud Management Module. Mass detection transactions…
-
Priya Prasad Pataskar posted a new activity comment 8 years ago
I totally agree with your point. I think SAP should be more flexible in accepting automated data entry.
Automation in data entry would increase efficiency and involve fewer error points. Scanning barcodes, swiping cards to collect information, and reading barcodes from bills, receipts etc. would ensure accuracy to a great extent and simplify data…
-
Priya Prasad Pataskar posted a new activity comment 8 years ago
Well said, Daniel. Compliance to government is mandatory and should be a priority.
I also think compliance to industry standards is essential. Some governments would mandate compliance to certain standards.
For example, a company may decide to go for ISO27001 compliance; it might not be necessary but they still implement it as best practice.…
-
Priya Prasad Pataskar posted a new activity comment 8 years ago
I agree with you, Wenlin. Data entry in SAP is the entry point of errors. Currently, a radio frequency (RF) solution is implemented by SAP’s warehouse management. They use mobile RF terminals to automate entry of data into the system. They scan the information that needs to be recorded, using bar codes. For example, to verify the storage bins.
-
Priya Prasad Pataskar posted a new activity comment 8 years ago
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Generally small businesses would face the issue of huge costs in implementing controls. A small-scale business or a start-up company may not want to implement certain controls for two…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Nice post, Yulun. I would like to add a point regarding sampling. I have many times seen that the sample size or samples get adjusted so that the internal auditor misses the samples where possible discrepancies would be present. Auditors must be equally involved in sampling. This would mean the auditor must have independence to select samples.
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Absolutely agree with you, Annamarie. Risk assessment can reveal not only direct losses but the losses from other areas that one control failure can affect and the likelihood of occurrence. A risk-based approach in such a situation will enable organizations to manage risks in a balanced and efficient way that reflects the value that is being…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Daniel, I have been involved in audits as an auditor and I know how much importance documentation holds. Your manager stressing on clear and accurate documentation is indeed important. An auditor gets involved with the team or company only for a short span of time. It is very stressful for an auditor to understand the internal processes of…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Nice point Said. In my experience, I have faced the problem you pointed. Teams look at internal auditors as if they are patrolling cops. They do not understand that internal auditors are the best to point out issues as they can be tackled within the company rather than getting highlighted in external audits. The whole purpose of internal audit is…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Great post Sean. Jaspreet, I particularly liked the point regarding documentation of change. I could not agree more with this statement. Documentation is something that is missed as there is a lot of pressure for implementation. Generally while change is taking place the pressure of SLA breach is much more and people tend to give less importance…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Indeed, Annmarie. PFCG is a sensitive transaction. Each department will have their own answer to call a transaction sensitive. If we talk about the department managing users and authorizations, then probably SU01 (User Maintenance), PFCG (Role Maintenance) and SCC4 (Client Administration) would be treated as sensitive. Sensitivity is seen through the…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
That is a good point Yu Ming.
The transactions which have a lot of controls on getting access to them would be the important ones. There might not be one correct answer, and it would depend on the business characteristics and situation of the business and the time of the year. A list of sensitive transactions is relative to your role and responsibilities.…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Agree with your point, Said. The accounting department would come at a point when the transaction is halfway through. Till this point a lot of data will be collected and entered into the system. I think SOD is the answer here. Every department that is entering data into the ERP software must ensure its quality and accuracy. Setting up automated controls…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
I agree with your point, Binu. Inaccurate data is more risky. I think excessive repetitive data can lead to inaccurate data. Repetitive data would be in place when there is improper integration of data. Let's say vendor details are present in the vendor table as well as the material table. If there is an update in vendor contact number and address and…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Q] Master data in an ERP system is highly integrated with various processes and affects many parts of the organization. How does an organization assure this integration works well for all?
A] ERP contains a combination of several modules like finance, sales and distribution, materials management, manufacturing and production control, human…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
You are right, Paul. It's more tricky when an employee moves within the team. For example, a person moving from the development to the production team. Access Management must ensure that the access is tracked.
To automatically detect and revoke unintended IAM access,
1. You can create an IAM policy that will deny access to API call
2. You create an IAM role…
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
You are right, Magaly. It is also important to spread awareness about usage of public wifi. The most important is to select the security setting when connecting to public wifi. Generally many people tend to select ‘private’; in fact they should select ‘public’ settings so that the security is maximum.
-
Priya Prasad Pataskar posted a new activity comment 8 years, 1 month ago
Nice example, Vu Do. But sometimes approvals come in the way of time management. I have had experiences where a few managers were on leave and hence approval went pending for a week, which means a delay of a week to start my work.
Another point that occurs to my mind is the documentation of approvals. It is necessary to keep the records of approvals…